[openssl-project] Inappropriate fallback triggered when "holes" in client protocol list indirectly exclude TLSv1.3

Viktor Dukhovni openssl-users at dukhovni.org
Wed Aug 15 15:46:37 UTC 2018

When I configure a client with a legacy TLS 1.2 protocol exclusion,
e.g. by setting SSL_OP_NO_TLSv1_2 (rather than the new min/max
version interface), as a result of the new TLS 1.3 protocol
suport configurations that previously negotiated "up to" TLS 1.1,
now fail when communicating with a TLS 1.3 server:

  $ posttls-finger -c -p '!TLSv1.2' "[]"
  posttls-finger: SSL_connect error to[]:25: -1
  posttls-finger: warning: TLS library problem: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:../openssl/ssl/statem/statem_lib.c:1939:

If I then also explicitly disable "TLSv1.3" the connection succeeds:

  $ posttls-finger -c -lmay -Lsummary -p '!TLSv1.2:!TLSv1.3' "[]"
  posttls-finger: Anonymous TLS connection established to[]:25: TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)

I think this counts as a regression, the client should notice that
it implicitly disabled TLS 1.3, and therefore not react to the
server's version sentinel by aborting the connection.  Thoughts?


More information about the openssl-project mailing list